Windows server - Windows Filtering Platform has blocked a packet

[M-Struck]

I'm still piloting/learning LME. I thought things were working fine with just two pilot Windows servers setup. However, when the Elastic Agent is running, the Event Viewer shows Audit Failures occurring every 1-3 seconds, generating 1000s of audit entries. This message is repeated with only the destination port changing:

The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -

Network Information:
Direction: Inbound
Source Address: x.x.x.x
Source Port: 9200
Destination Address: z.z.z.z
Destination Port: 53241
Protocol: 6

Filter Information:
Filter Run-Time ID: 148600
Layer Name: Transport
Layer Run-Time ID: 13

The Source Address is the IP of our LME server and the Destination Address is the Windows server. This scenario happens on both servers. Shutting down Elastic Agent makes it stop and a Windows Firewall rule to allow the LME server on port 9200 does nothing to help.

Endless web searching doesn't point me to anything or a solution. Any ideas?

[cbaxley]

Traffic should be flowing to the LME server on 9200 and coming back at that higher port number.
You need to make sure that the firewall is open on the LME server, or just disable the firewall on LME server while you're testing.
It looks like this is a lower-level thing blocking it because there's its process ID 0 that's like the very first thing loaded.
Try running this on the Windows server, and let's see what might be blocking it.

netsh wfp show filters

[cbaxley]

So do these show up in the LME dashboards or logs in the Elasticsearch Indices?
Where are you finding them?
If you installed an Elasticsearch client on the LME machine, that might be what is causing the errors.
I am trying to figure out if they are Windows errors that are showing up in LME or they are the errors from an additional client installed on the LME server.

[M-Struck]

Yes, these events show in the User Security dashboard (more just counts) and logs-* data view if I search for event 5152. I searched for Elastic packages installed and didn't see anything like client.

[cbaxley]

Ok. I am thinking the "ACK" coming back from the LME server is being rejected on that high port. So you might have to tell the Windows Firewall to allow everything for that app/service. Since we know the packets are making it to the LME server, then it is just the communication back that seems to be the problem.
Did you try this:

netsh wfp show filters

[M-Struck]

I created a firewall rule to allow all traffic inbound and outbound for the the Elastic Agent service, same result after starting the agent. I couldn't find anything related to the event id or filter run-time ID in the list of filters. It's definitely something with the Windows Firewall though. Temporarily stopping caused the audit failures to stop.

[M-Struck]

I don't normally give up but did on this one. Thought it might be our EDR, disabled it temporarily and had no change. I ended up adding a processors drop event for "Security" under "Collect events from the Windows event log" in the Elastic Fleet System Integration. That greatly reduced all the events on both LME pilot hosts. We now only get an occasional audit failure that we can investigate.